This invention relates to the field of detecting changes to digital information using digital signatures, and more particularly, to a technique for integrity checking an executable module loaded into memory by an operating system loader at other than a default location.
A class of computer applications exists in which certain operations are performed, using certain data, either or both of which must be maintained secret. In general, this is not a problem since most users will simply use the application for its intended purpose and are unconcerned with the secrets contained therein. However, some users (i.e., "hackers") may try to pry into the application and its components, either to reveal the internal secrets or to modify the application in such a way as to perform restricted or prohibited operations. In general, hackers typically employ either static disassembly and analysis, or live debugging of the subject application in order to learn its operations. Once learned, the hacker can then modify the application according to an intended purpose. In response, tamper-resistant techniques are often applied to an application to inhibit these hacking attempts.
A variety of means can be employed to make an application and its components tamper-resistant. One of these is to make a digital "fingerprint" or signature of the application and its binary information. During initialization or at run-time (or both), modification of the protected application can be detected via an examination of this digital fingerprint in comparison to the current binary state of the application. When such activities or modifications are detected, the protected application can then intentionally fail in such a way that the secrets contained within are not exposed.
In general, a fingerprint or cryptographic check sum of a range of binary information is trivial to compute. However, for complex programs in the Windows or equivalent environment, there are issues that present problems in making the computations repeatable under all circumstances. For example, in such environments, the operating system loader does not always load the application program and its component modules (especially the component modules) at the same virtual address each time. If a module always loads at the same address, then a check sum across its bits as loaded into memory will always yield the same result. However, if the loader must "relocate" an executable module of an application program to a different base address within the virtual address space, then the loader will fix up certain code and data pointers within the loaded module so that code and data references continue to point to the proper, relocated addresses within the module. This is the desired operation for the module, so that it continues to function identically regardless of its load address, but it is a problem for tamper-resistant measures since it virtually guarantees that a check sum (i.e., digital signature) of the module's loaded memory locations will not yield the same result as a check sum of the application module on disk or loaded to a default location in memory. Thus, although the fix up of certain code and data pointers within the application module resulting from relocation of the module in memory is to be expected, to tamper-resistance code these fix ups resemble unauthorized modifications (i.e., tampering).
The problem solved by this invention, therefore, is to create a repeatable digital signature for a given executable module regardless of where in memory an operating system loader locates the module. Providing repeatability allows use of the digital signature in a tamper-resistance technique.
To briefly summarize, in a first aspect, a method is provided for checking integrity of an executable module loaded into memory. The method includes: determining a load address at which the executable module is loaded in memory; normalizing at least some content of the executable module in memory to obtain normalized content corresponding to the at least some content, the normalizing employing the load address at which the executable module is loaded in memory; and performing integrity analysis of the module's content, including the normalized content.
In another aspect, a system for checking integrity of an executable module loaded into memory is provided. The system includes means for determining a load address at which the executable module is loaded in memory, and means for normalizing at least some content of the executable module in memory to obtain normalized content corresponding to the at least some content. The means for normalizing includes means for employing the load address of the executable module in the memory. The system further includes means for performing integrity analysis of a digital section of the module's content, including the normalized content.
In a further aspect, an article of manufacture is provided which includes a computer program product having computer usable medium with computer readable program code means therein for use in checking integrity of an executable module loaded into memory. The computer readable program code means in the computer program product includes: computer readable program code means for causing a computer to effect determining a load address at which the executable module is loaded in memory; computer readable program code means for causing a computer to effect normalizing at least some content of the executable module in memory to obtain normalized content corresponding to the at least some content, the normalizing employing the load address of the executable module in memory; and computer readable program code means for causing a computer to effect performing integrity analysis of a digital section of the module's content, including the normalized content.
To restate, provided herein is a technique for performing integrity checking of an executable module of an application program subsequent to loading of the executable module into memory by an operating system loader, particularly at other than a default address. The integrity checking comprises generating a repeatable digital signature of the in-memory image of the loaded executable. The digital signature can then be used for initial validation of the loaded image and for subsequent real-time monitoring against changes to those bits in memory. Using the present invention, the in-memory bits can be employed as a form of validating signature before allowing an executable or DLL to access a protected resource. Another advantage is the ability to detect whether, after the executable has been loaded and verified, the in-memory image has been dynamically modified.
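The relocation problem and the normalize-then-check method summarized above, as an added example that is not part of the original text. It assumes the fix-up locations are available as an ascending list of offsets to 32-bit absolute pointers and that the module's default base is known, and it uses FNV-1a as a non-cryptographic stand-in for the signature hash; the function names, base addresses and image bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* FNV-1a 64-bit: non-cryptographic stand-in for the signature hash. */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n) {
    while (n--) { h ^= *p++; h *= 0x100000001b3ULL; }
    return h;
}

/* Stand-in for the loader: rebase each 32-bit pointer slot by (to - from). */
void apply_fixups(uint8_t *img, const uint32_t *slots, size_t n,
                  uint32_t from, uint32_t to) {
    for (size_t i = 0; i < n; i++) {
        uint32_t v;
        memcpy(&v, img + slots[i], 4);
        v += to - from;
        memcpy(img + slots[i], &v, 4);
    }
}

/* Digest the image as it would look at preferred_base, leaving it unmodified.
   slots: ascending offsets of fixed-up pointers. Returns -1 on a bad table. */
int normalized_digest(const uint8_t *img, size_t size, const uint32_t *slots,
                      size_t n, uint32_t load_base, uint32_t preferred_base,
                      uint64_t *out) {
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t v;
        if (size < 4 || slots[i] < pos || slots[i] > size - 4) return -1;
        h = fnv1a(h, img + pos, slots[i] - pos);   /* bytes up to the slot */
        memcpy(&v, img + slots[i], 4);
        v -= load_base - preferred_base;           /* undo the relocation */
        h = fnv1a(h, (const uint8_t *)&v, 4);
        pos = (size_t)slots[i] + 4;
    }
    *out = fnv1a(h, img + pos, size - pos);
    return 0;
}

int main(void) {
    /* Constructed image: one absolute pointer (0x10002010) at offset 4. */
    uint8_t img[16] = {0x55, 0x8b, 0xec, 0xa1, 0x10, 0x20, 0x00, 0x10, 0xc3};
    const uint32_t slots[] = {4};
    uint64_t a = 0, b = 0;
    normalized_digest(img, sizeof img, slots, 1, 0x10000000u, 0x10000000u, &a);
    apply_fixups(img, slots, 1, 0x10000000u, 0x6a000000u);
    normalized_digest(img, sizeof img, slots, 1, 0x6a000000u, 0x10000000u, &b);
    return a == b ? 0 : 1;   /* 0: digest is repeatable across load addresses */
}
```

Because the digest is computed over a normalized view rather than by patching memory, the running module is never altered by the check, and a change to any byte outside or inside a pointer slot still changes the result.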